===== How OCAP Affects AS9100 Companies =====

The revised [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] requires AS9100 CBs (Certification Bodies, i.e., registrars) to use an "//Organization Certification Analysis Process (OCAP)//" to determine an overall "risk rating" for each registered company. The CB then uses this risk rating during audit planning to reduce or increase certification and surveillance audit durations (i.e., the number of audit days required) by ±10%, per AS9104/1A, "//Table 9 - Audit Duration Risk Adjustments//", relative to the baseline audit durations in AS9104/1A, "//Table 8 - Audit Duration Per Site//". 

The OCAP is defined in [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]] as: 
<blockquote>3.8 Organization Certification Analysis Process (OCAP) \\
An interactive process between the organization and CB to determine the organization’s AQMS scope and associated certification audit program, and conduct a risk assessment for certification within the ICOP scheme.</blockquote>

<note>The OCAP does NOT impact ISO 9001 certified companies. However, ISO 9001 audit time is subject to numerous considerations (addressed in [[https://iaf.nu/en/iaf-documents-categories/|IAF MD5 "Determination of Audit Time for QMS-EMS-OHS Audits"]], sec. 8, "//Factors for Adjustments of Audit Time of Management Systems (QMS, EMS, and OH&SMS)//").</note>

The OCAP must be implemented by the Certification Bodies (CBs) no later than 12 months after publication of the revised [[https://www.sae.org/standards/content/as9104/1a/|SAE AS9104/1A]], which was published on 1/7/22.

The OCAP requires each certified organization (i.e., AS9100-series registered company) to submit data to the Certification Body (CB) no more than 90 days prior to the start of the audit. The data is gathered using a questionnaire, and the CB uses the answers to determine an overall "risk rating" (High, Medium, or Low) for the certified company. The overall risk rating is calculated using AS9104/1A, Table 7 - "//Organizational Risk Determination//", shown below.

^  AS9104/1A, Table 7 - Organizational Risk Determination  ^^^^^^
^  Risk Factor  ^ Data Source  ^  LOW (1)  ^  MED (3)  ^ HIGH (6)  ^  Risk Score  ^
| Complexity  |  Figure 2  |  Low  |  Med  |  High  |  A  |
| Internal Audit  |  Table 5  |  Low  |  Med  |  High  |  B  |
| On-Time Delivery  |  Organization   |  Exceeds  |  Meets  |  Below  |  C  |
| Conformity of Delivered Product or Service (e.g., item escape rate)  |  Organization   |  Exceeds  |  Meets  |  Below  |  D  |
| Customer Complaints / Feedback  |  Organization   |  Exceeds  |  Meets  |  Below  |  E  |
| AQMS Process Effectiveness from Previous Audit Report  |  PEARs (lowest value)   |  5  |  3-4  |  1-2  |  F  |
|  Total Risk Score = ∑(A+B+C+D+E+F) = R |||||  R  |
| When R = 25 to 36, Risk is HIGH; R = 12 to 24, Risk is MED; R = 6 to 11, Risk is LOW  \\ Example: A=High (6), B=Low (1), C=Low (1), D=Med (3), E=Med (3), and F=Low (1). Therefore ∑(6+1+1+3+3+1) = 15 \\ Organizational Risk = Medium  ||||||

While there is //really// nothing a company can do to alter its complexity, the remaining risk factors are largely within the business's control.

==== Internal Audit ====

The "Risk Factor" criteria relating to internal audit performance is:
^  AS9104/1A, Table 5 - Internal audit program risk analysis  ^^^
^  Internal Audit Program  ^  Risk  ^  Characteristics  ^
|  High Performing Audit Program  |  Low  | • Properly resourced audit program \\ • Multi-event audit program, audit full QMS annually \\  • Audit program driven by risk and data \\  • Effective corrective action program  |
|  Average Audit Program  |  Medium  | • Limited resources for audit program \\ • Internal audit is an annual event \\  • Full QMS is covered annually \\  • Conforming corrective action program  |
|  Low Performing Audit Program  |  High  | • Audit program is not properly resourced \\ • Primarily desktop audits \\ • Audit program does not prevent major nonconformities from third-party audits \\ • Full QMS not covered annually \\ • Ineffective corrective action program  | 

  - The criterion "//Multi-event audit program, audit full QMS annually//" means that, to be classified as low risk, the company must spread its internal audits over the course of the year (e.g., quarterly or monthly) rather than auditing everything in a single annual event. For small companies this can be difficult, but even with only two or three core processes, those processes can be audited as two or three separate audits (each with its own audit report).
  - The criterion "//Audit program driven by risk and data//" is not defined in AS9104/1A (the closest the standard comes is the PBS/RP internal audit criteria in Appendix D, covered below) or in any other AS or ISO standard that I could locate. However, the "[[https://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing%20Practices%20Group%20docs/Auditing%20to%20ISO%209001%202015/APG-InternalAudit2015.pdf|ISO 9001 Auditing Practices Group - Guidance on: INTERNAL AUDITS]]" does contain a good description of what a "risk-based" audit is. 

<blockquote>"ISO 9001 Auditing Practices Group - Guidance on: INTERNAL AUDITS", pages 1-2, states: \\ //By applying risk-based thinking, this requirement is intended to focus the internal audit program on those processes and areas where past history indicates that problems have occurred, or where problems are likely to be ongoing, or are likely to occur, because of the nature of the processes themselves. These problems may result from issues such as human factors, process capability, measurement sensitivity, changing customer requirements, changes in the work environment, etc.// \\
//The processes with higher levels of risk or nonconformities should have priority in the internal audit programme.// \\
//Special attention should be given to processes where risk is influenced by factors such as://
  * //severe consequences of failure on process capability.//
  * //customer dissatisfaction.//
  * //noncompliance with product (or process) statutory and regulatory requirements.//
</blockquote>

Expanding on the above description of a risk-based audit, below are some specific factors that could be considered when planning a risk-based audit program (e.g., one scheduled over the course of a year):
  * Areas where nonconformities were identified during previous internal audits
  * Areas where the CB issued nonconformities
  * Areas with multiple instances of nonconforming product
  * Areas that have produced "escapes" (i.e., shipment of nonconforming product to customers)
  * Areas with many new employees and/or high employee turnover
  * Areas with complex processes
  * Areas where the process flow has been changed (e.g., due to improvement activities)
  * Areas where new processes have been implemented (e.g., a new product line)
  * Areas particularly subject to human factors (e.g., human error)


==== Performance-based Surveillance/Recertification (PBS/RP) Program ====

Existing AS9100 registered companies have the option to apply for the "Performance-based Surveillance/Recertification Process" (PBS/RP), described in AS9104/1A, "Appendix D". This option allows a 33% reduction in audit duration (up to a maximum of 50%). The criteria for this option are defined in AS9104/1A, "//Table D.1 - Performance-based Surveillance/Recertification Process Requirements//". The "//PBS/RP Qualification Requirements and Criteria//" relating to internal auditors require that they have successfully completed an "Aviation, Space and Defense (ASD)" Lead Auditor course provided by a "Training Provider Approval Body (TPAB)".


The "//PBS/RP Qualification Requirements and Criteria//" in AS9104/1A, "//Table D.1 - Performance-based Surveillance/Recertification Process Requirements//", also come closest to defining what an "//Audit program driven by risk and data//" looks like. The criterion relating to the internal audit program states:

<blockquote>C. Implementation of an Internal Audit Program in accordance with ISO 19011, including: \\ 
• Annual audit of all applicable AQMS requirements; and \\
• Defined, structured, multiple event audit program that adjusts throughout the calendar year based upon:
  * performance;
  * customer complaints; 
  * risk; and
  * change management.
</blockquote>
 
<note important>It should be pointed out that [[https://www.iso.org/standard/70017.html|ISO 19011, "Guidelines for auditing management systems"]] is a guidance document: it provides guidelines ("should"), not requirements ("shall"). The word "shall" does not appear in any section of ISO 19011 other than the "Foreword".</note>
